Programming Language-Based Security To Rescue

In line with the plan, the project has collected security requirements (WP1), and used them as input for work on security policies (WP2), security enforcement (WP3), and case studies (WP4). As a result, we have developed policy frameworks and enforcement mechanisms for confidentiality and integrity policies. Our practical enforcement is based on reference monitoring of the code. The monitor tracks security levels of data at runtime. The monitor blocks execution at an attempt of outputting sensitive information on a nonsensitive sink. Such a monitor is suitable for deployment by modifying runtime environment. We have developed our prototype, JSFlow http://www.jsflow.net , a security-enhanced JavaScript monitor for fine-grained tracking of information flow. We show how to resolve practical challenges for enforcing flexible information-flow policies for the full JavaScript language, as well as the challenges of tracking information in the presence of libraries, as provided by APIs. Our prototype implements JSFlow as a security-enhanced interpreter for JavaScript, itself written in JavaScript. The JavaScript as the implementation language has paved the way for the work on code rewriting.